Question
Hi guys, I'm having a problem with CustomErrors in web.config. I'm trying to show a custom page for the 401 error, but when a user tries to access the controller and doesn't have authorization,
in this case the return is 302 but must be 401. I tried to use Application_EndRequest() in Global.asax to change the Response.StatusCode:
    void Application_EndRequest(object sender, EventArgs e)
    {
        if (Context.Response.StatusCode == 302)
        {
            Context.Response.Clear();
            Context.Response.StatusCode = 401;
        }
    }
With this, the error returned is the 401, but the custom errors page is not displayed, just a default IIS message:
Unauthorized: Access is denied due to invalid credentials
How can I make the custom errors show the right page for the 401 error?
Solution 2
I found the solution for my problem here
Using a custom authorization attribute for redirect to the "AccessDenied" page
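A sketch of what such a custom authorization attribute can look like in ASP.NET MVC, added here as an illustration and not taken from the linked solution. The attribute name, the "AccessDenied" view, and the sample controller and role are assumptions.

```csharp
using System.Web.Mvc;

// Hypothetical attribute name; derives from the MVC AuthorizeAttribute.
public class AccessDeniedAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var httpContext = filterContext.HttpContext;

        if (!httpContext.User.Identity.IsAuthenticated)
        {
            // Anonymous caller: keep the default behaviour. The base class
            // returns 401, which Forms Authentication turns into the 302
            // redirect to the configured login page.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Authenticated but lacking the required role or user: this is a
        // 403 (Forbidden), not a 401, so no login redirect should happen.
        httpContext.Response.StatusCode = 403;

        // Keep IIS from replacing the response body with its own error page.
        httpContext.Response.TrySkipIisCustomErrors = true;

        if (httpContext.Request.IsAjaxRequest())
        {
            // Script callers get the bare status code instead of HTML.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        // Assumed view: Views/Shared/AccessDenied.cshtml
        filterContext.Result = new ViewResult { ViewName = "AccessDenied" };
    }
}

// Constructed usage: controller name and role are placeholders.
[AccessDeniedAuthorize(Roles = "Admin")]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

Rendering the view directly instead of redirecting keeps the 403 status on the response, so logs and monitoring see the denial rather than a 302 followed by a 200.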
OTHER TIPS
If you are using Forms Authentication, then 401 is handled internally by ASP.NET and used in the Challenge/Response mechanism for authentication. When you use authentication, you specify a login page, and when a user is not authorized, they are redirected to that page to log in.
There is a difference between a 401, which is Unauthorized, and a 403, which is Forbidden.
If you're using Windows Authentication, Digest, or Basic then you will get a 401 Challenge popup. ASP.NET intercepts 401 so that you don't get popups, and can instead deal with authentication errors in forms.
Take a look at the solution for custom errors in MVC answered on another question on Stack Overflow at https://stackoverflow.com/a/620559/686674
You want to override Application_Error rather than Application_EndRequest.